PART IV
REGULATION OF SPECIFIED SECURITY PROCEDURES AND SPECIFIED SECURITY PROCEDURE PROVIDERS
Interpretation of this Part
20.—(1)  In this Part, “designated person” means any member of a class of specified security procedure providers specified in the Fourth Schedule.
(2)  For the avoidance of doubt, a reference to this Part shall include a reference to the Second, Third and Fourth Schedules.
Specified security procedures
21.—(1)  The Minister may, by order published in the Gazette, amend the Second Schedule to add, delete or modify any specified security procedure for the purposes of this Act.
(2)  The provisions set out in the Third Schedule shall apply to the corresponding specified security procedures.
(3)  The Minister may, by order published in the Gazette, amend the Third Schedule to make provisions relating to any of the specified security procedures, including —
(a) specifying the conditions under which any electronic signature may be treated as a secure electronic signature;
(b) specifying the conditions under which any electronic record may be treated as a secure electronic record;
(c) prescribing the effect of and duties relating to the use of specified security procedures, including the rights and duties of any persons relating to the use of such procedures and specifying rules relating to the presumptions, assumption of risk, foreseeability of reliance and liability limits applicable to the use of specified security procedures; and
(d) prescribing offences in respect of the contravention of any provision in that Schedule, and prescribing fines not exceeding $20,000 or imprisonment which may not exceed 2 years or both, that may, on conviction, be imposed in respect of any such offence.
(4)  The Minister may, by order published in the Gazette, amend the Fourth Schedule.
Regulation of specified security procedures and specified security procedure providers
22.—(1)  The Minister may make regulations for the carrying out of this Part and, without prejudice to such general power, may make regulations for all or any of the following purposes:
(a) the regulation, licensing or accreditation of specified security procedure providers and their authorised representatives;
(b) safeguarding or maintaining the effectiveness and efficiency of the common security infrastructure relating to the use of secure electronic signatures and the authentication of electronic records, including the imposition of requirements to ensure interoperability between specified security procedure providers or in relation to any security procedure;
(c) ensuring that the common security infrastructure relating to the use of secure electronic signatures and the authentication of electronic records complies with Singapore’s international obligations;
(d) prescribing the forms and fees applicable for the purposes of this Part.
(2)  Without prejudice to the generality of subsection (1), the Minister may, in making regulations for the regulation, licensing or accreditation of specified security procedure providers and their authorised representatives —
(a) prescribe the accounts to be kept by specified security procedure providers;
(b) provide for the appointment and remuneration of an auditor, and for the costs of an audit carried out under the regulations;
(c) provide for the establishment and regulation of any electronic system by a specified security procedure provider, whether by itself or in conjunction with other specified security procedure providers, and for the imposition and variation of requirements or conditions relating thereto as the Controller may think fit;
(d) make provisions to ensure the quality of repositories and the services they provide, including provisions for the standards, licensing or accreditation of repositories;
(e) provide for the use of any accreditation mark in relation to the activities of specified security procedure providers and for controls over the use thereof;
(f) prescribe the duties and liabilities of specified security procedure providers registered, licensed or accredited under this Act in respect of their customers; and
(g) provide for the conduct of any inquiry into the conduct of specified security procedure providers and their authorised representatives and the recovery of the costs and expenses involved in such an inquiry.
(3)  Without prejudice to the generality of subsection (1), the Minister may make regulations to provide for the cross-border recognition of specified security procedure providers or specified security procedures or any processes or records related thereto, including any requirements —
(a) relating to interoperability arrangements with the specified security procedure providers;
(b) whether the specified security procedure providers satisfy certain requirements applicable to specified security procedure providers registered, accredited or licensed under this Act;
(c) whether the specified security procedures, processes or records satisfy certain requirements applicable to specified security procedures, processes or records (as the case may be) under this Act;
(d) that the processes or records have been guaranteed by a specified security procedure provider registered, accredited or licensed under this Act;
(e) that —
(i) the specified security procedure providers have been registered, accredited or licensed;
(ii) the processes have been specified; or
(iii) the records have been registered,
under a particular registration, accreditation or licensing scheme (as the case may be) established outside Singapore; or
(f) that the specified security procedure providers, specified security procedures, processes or records have been recognised under a particular bilateral or multilateral agreement with Singapore.
(4)  Regulations made under this section may provide that a contravention of a specified provision shall be an offence and may provide penalties for a fine not exceeding $50,000 or imprisonment for a term not exceeding 12 months or both.
[ETA, ss. 42, 43 and 46]
Controller may give directions for compliance
23.—(1)  The Controller may, by notice in writing, direct any designated person, or any officer, employee or authorised representative of a designated person —
(a) to take such measures or stop carrying on such activities as are specified in the notice if they are necessary to ensure compliance with this Part; or
(b) to co-operate with any other designated persons or public agencies as the Controller thinks necessary in the case of a public emergency.
(2)  Any person who fails to comply with any direction specified in a notice issued under subsection (1) shall be guilty of an offence and shall be liable on conviction to a fine not exceeding $50,000 or to imprisonment for a term not exceeding 12 months or to both.
(3)  If any doubt arises as to the existence of a public emergency for the purposes of subsection (1)(b), a certificate signed by the Minister delivered to the designated person shall be conclusive evidence of the matters stated therein.
[ETA, s. 51]
Power to investigate
24.—(1)  The Controller or an authorised officer may investigate the activities of any designated person, or any officer, employee or authorised representative of a designated person, in relation to their compliance with this Part.
(2)  For the purposes of subsection (1), the Controller may in writing issue an order to any designated person, or any officer, employee or authorised representative of a designated person, to further an investigation under this section or to secure compliance with this Part, including an order to produce records, accounts, data and documents kept by the designated person, and to allow the Controller or an authorised officer to examine and copy any of them.
[ETA, ss. 52 and 55(a)]